Web caches are network applications used to reduce network traffic and improve response times. Web caches work by storing static content on a network at intermediate locations. Static content encompasses items that rarely change. Once stored the information is available for repeated transmissions of the same content over an abbreviated portion of the network. By eliminating the need for the server to produce all of the requested information for each request, the effective bandwidth of the network is increased. Unfortunately, web caching does not currently apply to secure web content. Secure web content is sent encrypted using various protocols such as Transport Layer Security (“TLS”) or Secure Socket Layer (“SSL”). Such secure protocols use unique encryption keys known only to the connection endpoints. Each message therefore is independently secure. Consequently, intermediate web caches in a computer network do not store and retransmit secure static content since they cannot examine it to determine if it has changed. As far as the cache is concerned each message is unique effectively eliminating the purpose of a cache entirely. Hence, TLS and SSL are incompatible with the existing web caching architecture.
Transport Layer Security protocol is one of the most widely deployed protocols for securing communications on the World Wide Web (“WWW”) and is used by most E-commerce and financial web sites. It guarantees privacy and authenticity of information exchanged between a web server and a web browser. Currently, the number of web sites using TLS or SSL to secure web traffic is growing at a phenomenal rate. As the services provided by the World Wide Web continue to expand, so will the need for security. Unfortunately, TLS and SSL are incompatible with the current network design methodologies used in the Internet.
This incompatibility stems from the inherent nature of how a secure session is established. A TLS session, for example, between a web server and a web browser occurs in a number of phases. When a web browser first connects to a web server using TLS, the browser and server execute the TLS handshake protocol. The outcome of this protocol is a session encryption key and a session integrity key. These keys are known only to the web server and the web browser.
Once the session keys are established, the browser and server begin exchanging data. The data is encrypted using the session encryption key and protected from tampering using the session integrity key. When the browser and server are done exchanging data the connection between them is closed. If the browser and server subsequently reestablish a secure connection the browser and server may execute a resume handshake or establish a new set of session keys. A resume handshake protocol causes both server and browser to reuse the session key previously established during the initial handshake, and is more efficient, but requires the connection between the web server and web browser to be continuous. Thereafter, all application data is encrypted and protected using the previously established session keys.
Web caches are typically located on the network between the user and the web server being accessed. The web cache inspects all responses coming back from the server and stores in its memory all content that changes infrequently. This information is called static content. Examples of static content include the banner and the navigation buttons on the page. The next time a user requests this information the cache responds immediately with the information without contacting the web server. As a result, web caches dramatically reduce traffic on the network and reduce the response times to user requests.
A reverse proxy is similar to a web cache. The difference lies in where the reverse proxy is located and the type of content cached. While web caches are located close to the client processor so as to minimize response time, the reverse proxy is typically located close to the web server with the most common location being at the same site as the web server. The main goal of the reverse proxy is to reduce the load on the web server. Any time a request is received at the web site the reverse proxy first determines whether the response is already cached. If so, the reverse proxy responds itself without contacting the web server. Otherwise the request is sent to the web server. Inherent to the reverse proxy function is its ability to examine the request as well as the content of the cache to determine if the information stored fulfills the request.
Web caches and reverse proxies are ineffective when dealing with secure content. The problem lies in identification of repeated information. Secure content passing through these appliances is encrypted using a key known only to the end points, namely the web server and the web browser. Each web browser connected to the proxy passes through information that is unrecognizable to the cache. The web cache or the reverse proxy cannot interpret the data to determine if the data should be stored or if the data request matches any stored data. Hence it is useless to cache the encrypted information. Consequently, the existing infrastructure designed to make the Internet more efficient and faster becomes ineffective when dealing with secure content.